Adobe closed a hole in its Acrobat and Adobe Reader products on Monday, following RealNetworks' fast fix of a vulnerability in its RealPlayer on Friday.
The security vulnerability in RealPlayer, currently being exploited by an attack uncovered by Symantec last week, affects versions 10.5 and the beta of version 11 of the media player. In an advisory, RealNetworks called the issue a critical vulnerability and recommended that users update their software.
On Monday, Adobe fixed a flaw that was revealed a month ago by hacking group GnuCitizen.org. At the time, GnuCitizen's founder Petko D. Petkov, also known as "pdp," did not reveal details of the flaws. On Tuesday, e-mail messages carrying a program to exploit the flaw started appearing in inboxes, according to Symantec. Adobe recommended that users running its document-reading software on Windows XP and Internet Explorer 7 update the programs to the latest version.
The two flaws affect only Windows users. The time taken by the companies to fix the flaws also provides interesting fodder for the disclosure debate: An active attack led RealPlayer to fix its flaw in a day, while Adobe took a month -- still considered fast by most software company standards -- to patch the vulnerability reported to it through limited public disclosure.
SecurityFocus is a wholly-owned subsidiary of Symantec.
Posted by: Robert Lemos